
2. Look for driving me nuts
Find driving me nuts at one of the best sites the Internet has to offer!www.redzip.com/

with variations - usually upspiral and redzip, and also ezanga keep popping up. Also I've noticed a marked decrease in overall quality of hits returned.

I have run HJT - and deleted anything sketchy, run spybot, run adaware, run spysubtract - googled for any info possible, gone through my registry, and through the usual C drive areas where these types of things linger - and I can't make it go away.

The relevancy ads are the only issue. No popups or anything like that. Has anyone else had this problem, or have a solution?

Are they browser ads, or maybe net send ads? I would suggest maybe downloading the Microsoft Antispyware program and giving that a shot. Also, might want to post a HJT log on the site so we can take a look at it. Have you scanned for viruses also?

Sophos has been acting up for me so I'm actually reinstalling it now, but I'm running a TrendMicro scan since I'm not quite sure when Sophos quit. TrendMicro's beta 6.0 is looking kind of cool with the built-in spyware scan - let's see how it does. I will try MS Spyware scan next if TrendMicro doesn't find anything.

Oh, as far as the ads - attached is a screen capture. It seems like what happens is that I will put in my search text (in this case - Trend Micro) and it will run the search, return the results, and then the first 2 or 3 entries will be changed to whatever ad-listing is applicable - in this case I believe it's stop-sign.com. If I use quotation marks in my search it is upspiral and redzip, and I think ezanga comes up when I use AND in my search.

Did you set up those servers as your DNS servers? This looks like a browser redirection type problem, that maybe it's redirecting your home page somewhere bogus, yet still shows the URL that you think it is. I can't be positive this is what is going on, but I would be very leery of those lines.

I know automated scans give mixed results, but I ran your HijackThis file through HijackThis, but am unable to post the results. You would have to post your log there yourself, if you haven't done so already.

But I got 11 unknown applications and the five possible nasty hits that zENGER mentioned. I tried to search the 11 unknowns in different combinations, but was unsuccessful in turning up any solid hits on those items in question except this one:

O4 - Global Startup: Fax Sr. Notify.lnk = C:\FaxSrCli\Notify.exe

When I ran Notify.exe through Google I got a hit from Symantec about a Backdoor.Armageddon.B found here. Though it is not the exact same extension as the one found on your logs, it was using a Notify.exe

Backdoor.Armageddon.B is a variant of a zoo Trojan. It is a server that is accessed through any number of known clients.

When it runs, the executable moves itself to %windir%\System\Notify.exe.

It modifies the %windir%\System.ini file so that it will run when you restart Windows. In the [boot] section of the file, it appends %windir%\system\Notify.exe to the shell= line. Typically this line is shell=explorer.exe, although some systems have additional boot shells loaded.

NOTES:

* %windir% is a variable that refers to the folder in which Windows is installed. By default this is C:\Windows or C:\Winnt.
* The modification to the System.ini file is effective only on Windows 95/98/Me-based computers.

I am far from an expert, so it could be nothing. I was about to just move on until after reading this thread about 3 or 4 times when I noticed that you mentioned that your AV was acting up and that you were reinstalling it this last time I looked the thread back over (actually, I did notice that the first time, but never made a connection till last) and remembered seeing this there, as well, at the very top on what a Backdoor.Armageddon.B does:

Backdoor.Armageddon.B allows unauthorized access to the infected computer. When it is run, it disables antivirus and firewall software.

And this, also under "Notes":

When the infected computer is started, the Trojan notifies the hacker. This Trojan uses port 6969. It also searches for major antivirus and firewall packages, and disables them if they are running.

So that is why I was asking you about your AV and firewall, because I recalled you mentioning that, and that is what led me to post after all. Again, I am not an expert in this matter, but I just wanted to see if I could find anything out for you. I'm just trying to help find a solution, so, don't kill the messenger. Hope this is of some use to you.
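The Symantec write-up quoted above says the Trojan persists by appending its executable to the shell= line in the [boot] section of System.ini. The following script is an added example, not part of this thread or of Symantec's write-up: it parses a saved copy of System.ini and reports any program on the shell= line other than the expected explorer.exe. The sample file contents, the SAMPLE_SYSTEM_INI constant, and the function names are all constructed for this example.

```python
"""
Report unexpected entries on the [boot] shell= line of a Windows 9x/Me System.ini.
Added example for this thread; the sample file contents below are constructed.
"""
import re

# Constructed sample mirroring the modification described in the thread:
# shell=explorer.exe has had a second executable appended to it.
SAMPLE_SYSTEM_INI = """\
[boot]
shell=explorer.exe C:\\WINDOWS\\system\\Notify.exe
mouse.drv=mouse.drv

[386Enh]
device=*vshare
"""

# Programs that are normal on the shell= line (compared by basename, case-insensitive).
EXPECTED_SHELLS = {"explorer.exe"}


def boot_shell_entries(ini_text):
    """Return the programs listed on the [boot] shell= line, in order."""
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "boot" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell":
                return value.split()  # shell= takes a whitespace-separated list
    return []


def unexpected_shells(ini_text, expected=EXPECTED_SHELLS):
    """Entries on shell= whose basename is not in the expected set."""
    extras = []
    for entry in boot_shell_entries(ini_text):
        basename = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename not in expected:
            extras.append(entry)
    return extras


if __name__ == "__main__":
    # On a real machine read C:\WINDOWS\SYSTEM.INI (or a copy taken from the disk).
    for entry in unexpected_shells(SAMPLE_SYSTEM_INI):
        print("unexpected shell= entry:", entry)
```

Per the note in the write-up, this line only affects boot on Windows 95/98/Me, so on an NT-based machine an extra entry here is a leftover indicator rather than an active persistence point; the Run keys and startup folders (the O4 lines in a HijackThis log) are what matter there.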

Might want to run "netstat -ao" on the machine and find out what ports it's listening on.

Also, might want to use msconfig and turn EVERYTHING off, and give it a go that way. You can then easily turn everything back on. Identify what processes run even after everything is turned off after a reboot.

Also, 192.168.1.14 & 192.168.1.140 are probably the IP addresses of the primary and secondary DNS servers for atlantaregion.com.
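To make the "netstat -ao" suggestion above concrete, here is an added example (not from this thread) that parses the text Windows netstat prints with -a and -o, lists the sockets the machine is listening on, and looks up the owning PID for any port you are watching, such as the 6969 mentioned in the Symantec write-up. The netstat output in SAMPLE_NETSTAT is constructed, including its PIDs and addresses; the function names are this example's own.

```python
"""
Parse Windows 'netstat -ao' output and flag listening sockets by port.
Added example for this thread; the sample output below is constructed.
"""

# Constructed sample in the column layout Windows netstat -ao prints.
# UDP lines have no State column, so they carry one field fewer.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       916
  TCP    0.0.0.0:6969           0.0.0.0:0              LISTENING       2040
  TCP    10.0.0.25:1055         10.0.0.1:53            ESTABLISHED     1328
  UDP    0.0.0.0:445            *:*                                    4
"""


def parse_netstat(text):
    """Return one dict per socket line: proto, local_addr, local_port, remote, state, pid."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # title, blank and header lines
        if fields[0] == "TCP" and len(fields) == 5:
            state, pid = fields[3], fields[4]
        elif fields[0] == "UDP" and len(fields) == 4:
            state, pid = None, fields[3]  # UDP has no connection state
        else:
            continue  # unexpected layout; skip rather than misattribute a PID
        addr, port = fields[1].rsplit(":", 1)  # rsplit keeps IPv6 '[::]' intact
        rows.append({"proto": fields[0], "local_addr": addr, "local_port": int(port),
                     "remote": fields[2], "state": state, "pid": int(pid)})
    return rows


def listening_sockets(rows):
    """TCP sockets in LISTENING state plus every bound UDP socket, sorted by port."""
    return sorted(
        (r for r in rows
         if (r["proto"] == "TCP" and r["state"] == "LISTENING") or r["proto"] == "UDP"),
        key=lambda r: r["local_port"],
    )


def flag_ports(rows, watch_ports):
    """Map each watched port that something is listening on to the owning PID."""
    return {r["local_port"]: r["pid"]
            for r in listening_sockets(rows) if r["local_port"] in watch_ports}


if __name__ == "__main__":
    # On the real machine: netstat -ao > netstat.txt, then read that file instead.
    rows = parse_netstat(SAMPLE_NETSTAT)
    for r in listening_sockets(rows):
        print(f"{r['proto']:4} {r['local_addr']}:{r['local_port']:<6} pid {r['pid']}")
    print("watched ports:", flag_ports(rows, {6969}))
```

The PID is the useful output: match it against Task Manager (with the PID column enabled) or tasklist to see which executable owns the socket, and compare that against the msconfig startup list when you do the turn-everything-off test.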

I only have one other piece of info to add to this thread in regards to Igfxtray.exe and Hkcmd.exe
From AnswersThatWork:

Recommendation :
Although great in theory, on some PCs we have found that whenever IGFXTRAY and HKCMD are running, Windows Explorer is prone to hanging and showing as "not responding" in the Task List. Our recommendation, therefore, is that you should not have this tray icon running, and that you should also not use the hotkey facility that comes with it.

This is more or less a personal judgement call as neither process is malicious in nature.

The object of war is not to die for your country but to make the other bastard die for his - George Patton

I should prolly have mentioned this is a corporate machine - behind a firewall that's not acting up, faxsr notify is a legit program and I got Sophos back up and running. For some reason on my machine it stops updating and uninstalls itself every few days. I have a feeling it might be because I restart my machine each night, and it's pending an actual login before starting and maybe gets locked up. I'm not really sure, but I will test it.